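# NixOS module for a single HedgeDoc instance: HedgeDoc listens on a loopback
# address, nginx terminates TLS in front of it, PostgreSQL is reached over the
# local Unix socket, and logins go through an external OAuth2/OpenID provider.
# Runtime secrets are read from a sops-managed environment file instead of
# being written into the (world-readable) Nix store.
{ config, pkgs, lib, ... }:

let
  # Public hostname; also used as the nginx virtualHost key below.
  domain = "md.feal.no";

  # Local listener for the HedgeDoc process. Only nginx should talk to it.
  port = 3300;
  host = "127.0.1.2";

  # Base URL of the OAuth2 / OpenID provider (settings.oauth2 is derived from it).
  authServerUrl = "https://auth.feal.no";
in {
  # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
  sops.secrets."hedgedoc/env" = {
    # Restart the unit when the secret is rotated so the new values are picked up.
    restartUnits = [ "hedgedoc.service" ];
  };

  services.hedgedoc = {
    enable = true;

    # Environment file holding the CMD_* secrets. The settings below reference
    # them as "$VAR" placeholders, which the module substitutes at runtime, so
    # the plaintext never ends up in the generated config in the store.
    environmentFile = config.sops.secrets."hedgedoc/env".path;

    settings = {
      inherit domain port host;

      # Public URL is https (nginx terminates TLS); the local listener stays plain http.
      protocolUseSSL = true;
      sessionSecret = "$CMD_SESSION_SECRET";

      allowFreeURL = true;
      # No anonymous accounts; unauthenticated visitors may still edit notes that
      # are explicitly shared with the "freely" permission (see next line).
      allowAnonymous = false;
      allowAnonymousEdits = true; # Allow anonymous edits with the "freely" permission

      # dbURL = "postgres://hedgedoc@localhost/hedgedoc";
      db = {
        username = "hedgedoc";
        database = "hedgedoc";
        # Connect over the local Unix socket rather than TCP; the role and
        # database are created by services.postgresql.ensure* below.
        host = "/run/postgresql";
        dialect = "postgresql";
      };

      # No email/password sign-in; OAuth2 below is the only login path.
      email = false;
      oauth2 = {
        baseURL = "${authServerUrl}/oauth2";
        tokenURL = "${authServerUrl}/oauth2/token";
        authorizationURL = "${authServerUrl}/ui/oauth2";
        userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";

        clientID = "hedgedoc";
        clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
        scope = "openid email profile";
        # Claims from the userinfo response that HedgeDoc maps onto its account fields.
        userProfileUsernameAttr = "name";
        userProfileEmailAttr = "email";
        userProfileDisplayNameAttr = "displayname";

        # Label shown on the login button.
        providerName = "KaniDM";
      };
    };
  };

  systemd.services.hedgedoc = {
    requires = [
      "postgresql.service"
      # "kanidm.service"
    ];
    # Requires= only pulls the unit in; it does not order startup. Without
    # After=, hedgedoc can be started before PostgreSQL accepts connections.
    after = [ "postgresql.service" ];

    serviceConfig = let
      workDir = "/var/lib/hedgedoc";
    in {
      # Override the module's defaults so state and uploads live under workDir,
      # which is the only writable path granted below.
      WorkingDirectory = lib.mkForce workDir;
      StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];

      # Better safe than sorry :)
      CapabilityBoundingSet = "";
      LockPersonality = true;
      NoNewPrivileges = true;
      PrivateDevices = true;
      PrivateMounts = true;
      PrivateTmp = true;
      PrivateUsers = true;
      ProtectClock = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      # Read-only filesystem except for the paths listed in ReadWritePaths.
      ProtectSystem = "strict";
      ReadWritePaths = [ workDir ];
      RemoveIPC = true;
      RestrictSUIDSGID = true;
      # Files created by the service are not world-accessible.
      UMask = "0007";
      # AF_UNIX for the PostgreSQL socket, AF_INET/AF_INET6 for the listener and
      # outbound calls to the OAuth2 provider.
      RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
      SystemCallArchitectures = "native";
      # SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
    };
  };

  services.postgresql = {
    ensureDatabases = [ "hedgedoc" ];
    ensureUsers = [{
      name = "hedgedoc";
      ensureDBOwnership = true;
    }];
  };

  services.nginx.virtualHosts."${domain}" = {
    # Explicit listen addresses/ports; the default 80/443 are not used here.
    listen = [
      { addr = "192.168.10.175"; port = 43443; ssl = true; }
      { addr = "192.168.10.175"; port = 43080; ssl = false; }
    ];

    # Obtain a certificate via ACME and redirect plain http to https.
    enableACME = true;
    forceSSL = true;

    locations = {
      "/" = {
        proxyPass = "http://${host}:${toString port}";
      };
      # Realtime collaboration runs over socket.io, which needs the WebSocket
      # upgrade headers forwarded.
      "/socket.io" = {
        proxyPass = "http://${host}:${toString port}";
        proxyWebsockets = true;
      };
    };
  };
}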